The root cause of identity theft in USA and some other places is the lack of "proper" national identity and the associated use of various personal "secrets" (not that secret) for identity verification because there are no good easy other ways.

Businesses in Scandinavia and many other countries would not treat someone knowing your personal information as any evidence of identity (because it's not); having all that information is not sufficient to impersonate you there - identity theft does happen but it would require stealing or forging physical documents or actual credentials to things like bank accounts; knowing all of what your mother or spouse would know is not enough to e.g. get credit or get valuable goods in your name.

The current bills (e.g. NY one at https://www.nysenate.gov/legislation/bills/2025/S8102/amendm... ) require age assurance that goes beyond mere assertions, so when creating your (adult) user account it would be required to give away your privacy to prove your age - if you can't implement a way for anonymous/pseudonymous people to verify that they indeed are adults (and not kids claiming to be so), these bills prohibit you to manufacture internet-connected systems that can be used by anonymous/pseudonymous users.

That would be a violation of the copyright law or the GPL licence - you aren't permitted to take GPL code and redistribute it with some extra restrictions added on to it.

If it's not (fully) your code, you aren't free to set the licence conditions; Linus can't do that without getting approval from 100% (not 99% or so) of authors who contributed code.

What one can do is add an informative disclaimer saying "To the best of our knowledge, installing or running this thing in California is prohibited - we permit to do whatever you want with it, but how you'll comply with that law is your business".

What I'm confused about is how the proposed bills would apply to servers.

Like, in general, a software change to add an "age class" attribute to user accounts and a syscall "what's this attribute for the current user account" would satisfy the California bill and that's a relatively minor change (the bad part is the NY bill that allegedly requires technical verification of whatever the user claimed).

The weird issue is how should that attribute be filled for the 'root' or 'www-data' user of a linux machine I have on the cloud. Or, to put aside open source for that matter, the Administrator account on a Windows Active Directory system.

Because "user accounts" don't necessarily have any mapping (much less a 1-to-1 mapping) to a person; many user accounts are personal but many are not.

The key parameter for swap size is "how memory-hungry things you want to run", which isn't easy to measure, but paying for installed RAM is a somewhat usable proxy metric for that. If you were happy with 8gb, it's some evidence that your apps don't need much memory (and swap), but if you needed to pay for an upgrade to 32gb, that's some evidence that you're the kind of user who needs much more swap than those with 8gb of RAM.